[CVE-2020-8162] Circumvention of file size limits in ActiveStorage

Aaron Patterson

May 18, 2020, 11:55:22 AM
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
Circumvention of file size limits in ActiveStorage

There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
direct file upload to be modified by an end user. This vulnerability has been assigned the CVE identifier CVE-2020-8162.

Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Releases
--------

Rails 5.2.4.3 and 6.0.3.1 are available on RubyGems.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessary
until such time as the application can be upgraded.

Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patches for Rails 6.0.3 and Rails 5.2.4.2.

* 5-2-activestorage-s3-adapter.patch
* 6-0-activestorage-s3-adapter.patch


Credits
-------

Thanks to Travis Pew (@travisp) for reporting this issue via our HackerOne bug bounty program and providing a patch.
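An added check, not part of this advisory or of Rails, that makes the property the fix has to guarantee concrete: the Content-Length header must be among the headers covered by the Signature Version 4 signature of the presigned PUT URL, otherwise the holder of the URL can change it freely. The sample URLs are constructed (credential, date and signature values are placeholders), and the list of headers the audit helper requires is an assumption about what the ActiveStorage S3 direct upload sends; as far as I understand the aws-sdk-s3 presigner, Content-Length is left unsigned unless explicitly whitelisted, which is why a check like this is worth running against the URLs an application actually generates.

```ruby
require "uri"

# SigV4 presigned URLs list the request headers covered by the signature in the
# X-Amz-SignedHeaders query parameter (lowercase names separated by ";").
# A header missing from that list can be changed by whoever holds the URL
# without invalidating the signature, which is what allowed an uploader to
# alter Content-Length on an ActiveStorage direct-upload URL.
def signed_headers(presigned_url)
  query = URI.parse(presigned_url).query.to_s
  URI.decode_www_form(query)                       # splits on "&" only, decodes %3B
     .select { |name, _| name == "X-Amz-SignedHeaders" }
     .flat_map { |_, value| value.split(";") }
     .map(&:downcase)
end

def content_length_signed?(presigned_url)
  signed_headers(presigned_url).include?("content-length")
end

# Hypothetical audit helper (assumed list): the headers a direct upload relies
# on that should all be bound into the signature. Returns the ones that are not
# (an empty array means every required header is signed).
REQUIRED_SIGNED_HEADERS = %w[content-length content-type content-md5 host].freeze

def unsigned_required_headers(presigned_url)
  REQUIRED_SIGNED_HEADERS - signed_headers(presigned_url)
end

# Constructed sample URLs; credential, date and signature are placeholders.
BASE_URL = "https://example-bucket.s3.amazonaws.com/blobkey?X-Amz-Algorithm=AWS4-HMAC-SHA256" \
           "&X-Amz-Credential=AKIAPLACEHOLDER%2F20200518%2Fus-east-1%2Fs3%2Faws4_request" \
           "&X-Amz-Date=20200518T155522Z&X-Amz-Expires=300"
# Shape of a URL where Content-Length was left out of the signed headers.
UNPATCHED_URL = BASE_URL + "&X-Amz-SignedHeaders=content-md5%3Bcontent-type%3Bhost" \
                           "&X-Amz-Signature=deadbeef"
# Shape of a URL where Content-Length is bound into the signature.
PATCHED_URL = BASE_URL + "&X-Amz-SignedHeaders=content-length%3Bcontent-md5%3Bcontent-type%3Bhost" \
                         "&X-Amz-Signature=deadbeef"

if $PROGRAM_NAME == __FILE__
  [UNPATCHED_URL, PATCHED_URL].each do |url|
    missing = unsigned_required_headers(url)
    puts(missing.empty? ? "ok: all required headers are signed" : "unsigned: #{missing.join(', ')}")
  end
end
```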